AD Multi Domain/Forest Questions

  • AD Multi Domain/Forest Questions

    I have a couple of questions on having 2 separate primary domain controllers talking to one another. The first PDC has been in production and is working great with multiple sites via WAN under the same forest. Let's call this one

    I recently set up another primary domain controller for a new domain called "shc", and I have 2 other servers acting as Terminal Servers that belong to the "shc" domain.

    I need users/members of the "" domain to be able to reach and authenticate on the "shc" domain and vice versa. Also, the Terminal Servers in the "shc" domain must be able to reach a SQL server that is on the "" domain.

    Just a little overview of the network topology:

    1 Router that has 2 subnets on it
    "" has a subnet of
    "shc" has a subnet of

    Both domains are in the same server room, and all machines are running Windows 2003 Server.

    Do I need to set up a site link for each domain along with a 2 way transitive trust?

    Do I/Can I set up AD replication to the new "SHC" domain so users of the "cpi/com domain can authenticate on the domain and be able to read/write to the SQL box?

    I apologize if this is confusing; please let me know if you need any other information to help with this.

    Thanks in advance.

  • #2
    Re: AD Multi Domain/Forest Questions

    Hi Craig,

    Looks like you need to do some reading about how trusts work and what domains and forests are.

    In either case, here is a brief intro:
    Trusts between 2 domains (or forests, in the case of a forest trust) define a relationship which allows security principals (user/computer accounts) from one domain to access resources in a foreign domain.
    The domain that has the resources allows someone from outside to access them; hence, when creating trust relationships, it is referred to as "trusting". The other side, which is accessing the resources using its user/computer accounts, is called "trusted".

    Trusts can be either uni-directional (one-way trust) or bi-directional (two-way trust). A two-way trust is actually 2 symmetrical one-way trusts (each domain trusts the other and is trusted by the other).

    So lets take a look at an example:

    Domain A:
    NETBIOS domain name: DOM_RES
    DNS domain name:

    Domain B:
    NETBIOS domain name: DOM_ACC
    DNS domain name:

    If a user from domain B (DOM_ACC\user1) wants to access resources in domain A (e.g. network shares on DOM_RES\computer1), there needs to be a trust in place where DOM_RES trusts DOM_ACC (the other way to look at it is that DOM_ACC is trusted by domain DOM_RES).

    So, given this brief overview, you'll need to be a bit more specific about what accounts exactly (from which domain) need to access which resources (in which domain).
    After understanding what are the requirements, you will know what kind of trusts you need to create (one-way or two-way) and the directions of the trusts.
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"
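    As an added example (not part of the original reply, and not the poster's own commands), here is how the "DOM_RES trusts DOM_ACC" relationship from the answer above would be created, verified and inspected from the command line. The netdom and nltest steps work on a Windows 2003 domain controller; the Get-ADTrust step needs a DC with the ActiveDirectory PowerShell module (Server 2008 R2 or later). The DNS names dom-res.example and dom-acc.example, and the Administrator accounts used for credentials, are assumptions.

```powershell
# Added example, not from the original thread. Assumed names: DOM_RES is the
# resource (trusting) domain with DNS name dom-res.example; DOM_ACC is the
# account (trusted) domain with DNS name dom-acc.example.
# Run from an elevated prompt on a DOM_RES domain controller as a Domain Admin.

# 1. Create the one-way trust in which DOM_RES (trusting) trusts DOM_ACC (trusted).
#    netdom's form is:  netdom trust <TrustingDomain> /d:<TrustedDomain> /add
#    /uo and /po are credentials in the trusting ("object") domain, /ud and /pd
#    credentials in the trusted domain; "*" makes netdom prompt for the password.
netdom trust dom-res.example /d:dom-acc.example /add `
    /uo:DOM_RES\Administrator /po:* /ud:DOM_ACC\Administrator /pd:*

# If accounts on both sides must reach resources on the other side (the two
# symmetrical one-way trusts the reply describes), add /twoway instead of
# creating the second trust separately:
#   netdom trust dom-res.example /d:dom-acc.example /add /twoway `
#       /uo:DOM_RES\Administrator /po:* /ud:DOM_ACC\Administrator /pd:*

# 2. Verify the trust from the trusting side, including the Kerberos path
#    (obtains a ticket across the trust rather than only checking the secret).
netdom trust dom-res.example /d:dom-acc.example /verify /kerberos `
    /uo:DOM_RES\Administrator /po:* /ud:DOM_ACC\Administrator /pd:*

# 3. Keep SID filtering ("quarantine") enabled on this external trust. It strips
#    SIDs that do not belong to DOM_ACC (e.g. SIDHistory entries) from tokens
#    crossing into DOM_RES, so control of DOM_ACC cannot be turned into
#    DOM_RES Domain Admin rights by injecting a DOM_RES SID.
netdom trust dom-res.example /d:dom-acc.example /quarantine:Yes `
    /uo:DOM_RES\Administrator /po:*

# 4. List all trusts as this DC sees them (direction and type included).
nltest /domain_trusts /all_trusts

# 5. On a DC with the ActiveDirectory module, read the trust objects directly.
#    On DOM_RES, the trust object for DOM_ACC shows Direction "Outbound" for
#    "DOM_RES trusts DOM_ACC" (it is the outgoing trust in AD Domains and
#    Trusts: DOM_ACC principals come in); "Inbound" would be the reverse, and
#    "BiDirectional" a two-way trust. SIDFilteringQuarantined should be True.
Import-Module ActiveDirectory
Get-ADTrust -Filter * |
    Select-Object Name, Direction, TrustType, ForestTransitive,
                  SIDFilteringQuarantined, SelectiveAuthentication |
    Format-Table -AutoSize
```

    Mapping this to the original question: the domain that holds the SQL server plays the DOM_RES role (trusting), and "shc", whose Terminal Server users need to reach it, plays the DOM_ACC role (trusted); only if "shc" also hosts resources the first domain's users must open does the second direction (or /twoway) become necessary.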